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November 4, 2020 

Privacy Office, Attn: FOIA Appeals 

U.S. Department of Homeland Security 

2707 Martin Luther King Jr. Ave., SE, Mail Stop 0655 

Washington, DC 20528-0655 

(also sent by e-mail to < foia@hq.dhs.gov > 

FREEDOM OF INFORMATION ACT APPEAL 


Dear FOIA Appeals Officer (General Counsel or designee): 

This is an appeal pursuant to the Freedom of Information Act, 5 U.S.C. §552. 

On January 21, 2016, we submitted a FOIA request by e-mail to “foia@hq.dhs.gov”, with a 
copy by postal mail, for: “(1) access to and copies of all records of or pertaining to individuals 
presenting driver’s licenses that are or were not considered compliant, or from states or territories that 
are or were not considered compliant, with the REAL-ID Act of 2005, for purpose of accessing Federal 
facilities and/or passing through checkpoints at airports or elsewhere, including any records of the 
numbers of such individuals, statistical or descriptive records pertaining to such incidents, email 
messages pertaining to such incidents or reports, and any instructions regarding handling and/or 
reporting of such incidents, and (2) any records pertaining to the legal basis for denial or potential 
denial of access to Federal facilities, denial of passage through checkpoints at airports, or denial of 
transport by airlines or surface transportation carriers, on the basis of the REAL-ID Act of 2005, 
including any reports analyzing these issues and any email messages pertaining to them. This request 
includes any responsive records of the DHS or any DHS component agency identifiable as having, or 
likely to have, responsive records, including any email messages or other communications within the 
DHS and any of its components or between the DHS or DHS components and other agencies, 
departments, contractors, airlines or other carriers, or other parties.” 

Our request noted that the request included reports which DHS components and other agencies 
had been directed to send each month to a specific DHS e-mail address, “OSIIS@hq.dhs.gov”: 

“According to “REAL ID Act of 2005 Implementation: An Interagency Security Committee 
Guide”, available at < http://www.dhs.gov/sites/default/files/publications/isc-real-id-guide-august-2015- 
508 Q.pdf >. Section 4.4, “Reporting Requirements”: 
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Your agency should also have a process for recording the number of encounters of 
individuals presenting driver’s licenses from noncompliant states for purpose of accessing 
Federal facilities. This data should be sent monthly to DHS (OSIIS@hq.dhs.gov) for 
collection no later than the tenth day of each month. DHS will use this data to evaluate the 
impact of REAL ID enforcement on the public. See Appendix E for a sample report 
template. 

“The records responsive to this request include the reports produced in response to this 
guidance.” 

This request was received by the DHS FOIA Office by e-mail the same day it was sent, January 
21, 2016, and was assigned your reference number 2016-HQFO-00209. 

As quoted above, this request explicitly and unambiguously sought records of e-mail messages, 
and specifically identified the e-mail address to which the DHS had directed that the responsive e-mail 
messages should be sent. A search reasonably calculated to retrieve responsive records would, of 
course, necessarily have included a search of the e-mail messages received at that address. 

However, the DHS did not conduct such a search for responsive e-mail messages. Instead, on 
June 2, 2016, the DHS sent us a “final” response to this request, dated May 20, 2016. This June 2, 2016 
“final” response included no e-mail messages and only 13 “pages” (actually, “print-view” page images 
embedded within a PDF file also containing the “final response” letter) of “responsive records” 
(actually, files or portions of files created from, and substituted for, responsive records). None of those 
13 page images consisted of e-mail messages. 

After we pointed out the obvious inadequacy of the search, the DHS sent us an e-mail message 
on August 10, 2016, agreeing “to amend your request to include a CIO search of records sent to and 
from the email account associated for the Real ID program which is OSIIS@hq.dhs.gov .” As we 
pointed out in a response that same day, “This is not an ‘amendment’ to our request, which explicitly 
included all records (including electronic records such as email messages and attachments) ‘pertaining 
to’ the subject of the request, and specifically noted that DHS components and other agencies had been 
directed to send relevant reports to this e-mail address. Any competent, diligent good-faith search 
reasonably calculated to retrieve responsive records would have included from the start the digital 
records of and pertaining to e-mail messages to and from that address.” 

To date, the DHS has produced none of the responsive records of email messages. 

Instead, beginning May 3, 2019 (more than three years after our initial request), the DHS has 
sent a series of PDF files which were falsely represented as containing “responsive records”, but which 
in fact consisted of entirely new files created from portions of the responsive records. 

These newly created files were fraudulently and silently substituted for the responsive records, 
and accompanied by the knowingly and materially false and materially misleading claim with respect 
to each interim release that the files sent to us constituted the “responsive records” and, in some cases, 
that the responsive records were being released “in their entirety”. 
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All of the “responsive records” (or files substituted for them) were falsely and misleadingly 
referred to as consisting of “pages”, although e-mail is always transmitted, and almost always stored on 
servers or archival media, in unpaginated file formats. 1 

None of files produced contained all of the informational content of the responsive records from 
which they were derived, such as complete e-mail headers, “message source” data, filenames, or 
filesystem information such as file dates. 

Our request also included detailed, explicit, unambiguous instructions regarding the form of 
production of responsive records: 

“We request that all responsive records be provided in electronic form. 

“With respect to any records held in electronic form, we request that they be provided in the 
original electronic form in which they are held on workstations, servers, and/or backup, archival, or 
other storage media or devices, as complete bitwise digital copies of the original email message files, 
spreadsheet files, word processor document files, PDF files, or other electronic files, including any file 
names, file headers, embedded metadata, file system information, and all other file content. All such 
data is subject to FOIA and is expressly included within the scope of this request for records. 

“We specifically request that you not create new documents in response to this request, not 
create “documents” such as page-view images or print views from digital records, and not substitute 
such newly-created “documents”, images, or views for requested records held by you as digital files. 

“In this regard, we call to your attention the recent OGIS report on TSA FOIA processing 
practices, available at < https://ogis.archives.gov/Assets/Transportation+Security+Administration+ 
%28TSA%29+Freedom+of+Information+Act+%28FOIA%29+Compliance+Report.pdf >: 

During our review, we also noted TSA converted all records into a PDF format prior to 
processing, making it difficult for TSA to meet FOIA’s requirement that agencies provide 
records “in any form or format requested by the person if the record is readily reproducible 
by the agency in that form or format.” PDF is an image format; converting a spreadsheet 
or information from a database into a PDF is akin to taking a page-sized picture of the 
information. In order for all of the information in the record to be seen in the PDF, the 
FOIA processor must make sure that text is not hidden by another cell and that the text fits 
within the page’s margins. Converting databases into PDFs also limits their use to the 
public, because the data in the record cannot be sorted or combined with other sources. In 
one particular instance, we noted a requester had specifically asked for a database in a 
“non-PDF” format; the requester specifically mentioned formats that would allow him or 
her to sort or otherwise use the data. TSA provided the requester with an alternative image 
— based format — TIFF, a format that is generally less searchable than PDF. We recommend 
that TSA look into how records can be processed and released in their native format when 

1. For example, the National Archives and Records Administration (NARA) recommends that Federal agencies store 
archival records of e-mail messages in the form of EML, PST, or MBOX formats. These are also among the most 
common formats used for message storage on e-mail servers and workstations. None of these are paginated file formats. 
See file format recommendations in Appendix A to NARA Bulletin 2015-04, < https://www.archives.gov/records-mgmt/ 
bulletins/2015/2015-04-appendix-a.html >. 
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requested and incorporating any new processes into its SOPs. 

Despite this explicit and unambiguous request, neither any of the responsive e-mail messages 
nor any of the attachments included in them were released in the form and format in which they were 
actually held by the DHS on its (or its contractors’) servers or archival storage media. None of the 
responsive file names, file headers, embedded metadata, or file system information were disclosed. 

Our request with respect to the form and format of production of responsive records was 
entirely but silently ignored by the DHS, without any notice of the denial or any assertion of a basis for 
the denial of this request with respect to the form of production of responsive records or for the 
withholding of those portions of the informational content of the responsive records that were omitted 
from the files substituted for the responsive records. 

On October 2, 2020, we received by e-mail a PDF dated August 20, 2020, containing a new 
notice of a “final” response to this request and that “responsive records” had been referred to forty-one 
DHS components 2 and other non-DHS Federal agencies for review and direct response. 3 The October 
2, 2020, letter also stated that it was accompanied by “responsive records”. 

However, the files attached to the October 2, 2020, message and additional e-mail messages that 
day all contained, once again, newly-created PDF files substituted for portions of the responsive 
records. None of the responsive records of e-mail messages or attachments have yet been produced. 

The October 20, 2020, letter from DHS also stated that, “We are also referring your request and 
571 pages to other federal agencies for their review and direct reply to you.” However, few if any of the 
responsive records were in paginated form, making it highly likely that what was sent to these other 
DHS components and other non-DHS agencies were not the (unpaginated) responsive records of e-mail 
correspondence with those components or agencies, but paginated PDF files of images created from the 
responsive records by the DHS after it received this FOIA request. 

Copies of the “records” referred to other agencies by the DHS, and provided to us by agencies 
that received them, confirm that what those agencies received from DHS were new substitute PDFs, 
falsely and materially misrepresented by DHS to these other agencies as being the responsive records. 

Other agencies that believed in good faith that they were reviewing the “responsive records”, 
and that they were releasing them “in full”, were in fact reviewing and releasing only the new PDF files 
created and (silently) substituted for the responsive records. Even if those other agencies, unlike DHS, 
would have complied with the requirements of the FOIA statute to produce the responsive records in 
native formats, they were unable to do so since they (unknowingly) didn’t have the responsive records. 

2. We still have received no response from DHS components including the Transportation Security Administration (TSA). 

3. We had previously received a CD from the DHS - possibly from the FOIA Office, but without any cover letter and 
without any office specified in the return address - postmarked August 5, 2020, which contained no data readable in 
standard CD format except for three files (“autorun.inf’, “mfecc32.dll”, and “MfeEERM.exe”) whose filenames 
suggested that the CD may have contained encrypted data that might be viewable in Windows, if we had a license for 
Windows and were willing to risk executing unknown proprietary binary code on our system. No instructions for 
reading the CD were provided, and we never requested that records be produced in encrypted format. After we reported 
to the DHS FOIA office that we had received an unreadable CD, we received another CD postmarked August 24, 2020, 
that had been inadequately packaged and arrived broken in pieces. We again reported this to the DHS FOIA office. Only 
after this did we receive, for first time, notice of the DHS final response to this request by e-mail on October 20, 2020. 
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We appeal: 


1. The withholding in full of all responsive records for which newly-created files were 
substituted, including all records of or pertaining to e-mail messages and attachments. 

2. The withholding of all informational content contained in responsive records but not 
included in the files substituted for the responsive records, including complete e-mail 
headers, “message source” data, filenames and all other filesystem information, and 
attachments in their original file formats and with their original filenames. 

3. All withholdings of records or portions of records based on review of files substituted 
for the responsive records, and not based on review of the responsive records. 

4. The withholding in full of all responsive records which were allegedly “referred” to 
DHS components or other non-DHS agencies, but with respect to which those 
components or agencies were not provided with the responsive records, but only with 
newly-created files substituted by the DHS for the responsive records. 

5. The denial of our request with respect to the form and format of production of 
responsive records. 

Since the 1996 e-FOIA amendments, the FOIA statute has required that, “In making any record 
available to a person under this paragraph, an agency shall provide the record in any form or format 
requested by the person if the record is readily reproducible by the agency in that form or format.” (5 
U.S.C. § 552(f)(2), effective March 31, 1997). 

The 1996 e-FOIA amendments, including these requirements with respect to the form and 
format of production of records, predate the creation of the DHS by more than five full years. DHS 
officials knew or reasonably should have known, when they first established procedures for processing 
FOIA requests, that they were required to comply with these established statutory requirements. The 
ability to enable compliance with existing statutory requirements should have been part of the criteria 
for evaluating and procuring FOIA processing tools. 

Instead, according to responses to other FOIA requests and appeals, DHS officials chose to 
procure FOIA processing software called “FOIAXpress”, and to standardize on FOIA processing 
procedures that “require” the use of “FOIAXpress” and the substitution of PDF files for all responsive 
records before the substituted files are reviewed, redacted, or disclosed. 

These “requirements” are a matter of DHS operational procedure, but are in direct and flagrant 
contravention of the statutory mandate of the 1996 e-FOIA amendments. 

The use of “FOIAXpress” involves an elaborate multi-step munging and substitution process. 
First the responsive records are viewed in an application program such as an e-mail client, and “page 
view” or “print view” images are captured within the client. Then those images are redacted with some 
sort of image editing software. Finally the redacted images are pasted into newly-created PDF files, 
with images generated from an an arbitrary number responsive files combines into each new PDF files. 
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with a new name and new metadata for the new file. It’s impossible to tell which pages of the 
substituted PDFs correspond to which original files, or any of the original filenames or metadata. 


Independently of the per se violation of the statutory requirement to produce responsive 
records in the requested (native) form and format, this process results in de facto redaction and 
withholding of those portions of the informational content of the responsive records that aren’t included 
in the images pasted into the newly-created PDFs. 

It is obvious that digital files are readily reproducible in the form of bitwise digital copies. E- 
mail messages in EML, PST, MBOX, and other formats are readily reproducible in those formats, 
whether or not the DHS has chiosen to procure or learn how to use the requisite tools to do so. It should 
have been apparent before it was procured by the DHS that “FOIAXpress” was incapable of satisfying 
the requirements already in effect as part of the FOIA statute, and that it would need, at a minimum, to 
be supplemented by other procedures and tools for processing requests for files in non-PDF formats. 

Almost twenty years after its creation, the DHS has had ample opportunity to develop 
procedures and acquire and learn how to use tools to enable it to comply - and if it has chosen not to do 
so, that is no excuse for noncompliance with FOIA requirements. An agency cannot use its own 
deliberate decision not to acquire or learn how to use readily-available software (including free, open- 
source software) capable of editing and reproducing file formats such as the ASCII text files in which 
e-mail is typically sent, received, and stored, or its own (self-imposed) lack of knowledge of how to use 
such software, as an excuse not to disclose records or portions of records maintained in those formats. 

If the DHS chose not to comply with the 1996 e-FOIA amendments when it set up its FOIA 
office and procedures, deliberately procured and then deliberately chose to establish procedures 
directing FOIA staff to rely exclusively on software it knew or should have known was incapable of 
fulfilling its statutory FOIA duties, and has persisted in this knowing and willful systematic disregard 
for the law for almost twenty years longer, now is the time to bring its FOIA operations into 
compliance with the law. Learning how to process e-mail messages and attachments in the native 
formats in which they are held by the DHS or its contractors, such as EML, PST, and MBOX formats, 
would be a good place to start. The law requires no less, and should countenance no further delay. 


Sincerely, 


Edward Hasbrouck 
Consultant on travel-related civil liberties issues 
The Identity Project (PapersPlease.org) 
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